Honestly when are these antivirus companies going to learn that this behavior is unacceptable? You can't go around deleting people's core system files because your 1 day old untested new virus signatures "think" they found something suspicious. Give me a break! How many times do we have to keep having this discussion?

Quote

McAfee pushed out a virus definition update, 5958, at 14:00 PDT that causes false positive identification of the critical Windows system file svchost.exe. Machines running Windows XP Service Pack 3 using the 5958 definitions will delete the file, causing many key Windows services to fail to start. The Windows file is being mistakenly detected as W32/wecorl.a. Failure to start svchost.exe causes Windows to automatically reboot, hindering repair efforts.

Holy crap, that's a nasty one. I think also at fault here is the default behavior being delete, and lack of any white list or safeguards. I mean come on, one would think that with an easily identifiable core system file it would first attempt to *clean*, and then failing that, it would warn the user and *leave the file intact*. Better to have a core system file infected but intact so that other tools could attempt cleanup than delete the file and possibly thwart attempts at repair.

And this is the reason that a lot of people don't trust AV software - because the cure can be worse than the disease. I'm more than a little bit upset with AVG that it deletes my NSIS files whenever they are found.

@JavaJones: Yes. When I migrated from Avast! to WSE (MS Windows Security Essentials) I followed the advice of someone on the DC forum and changed the default settings to "Quarantine" action, rather than let the thing delete according to its previous default rules.

I therefore concur with your comment:

Quote

"...I think also at fault here is the default behavior being delete, and lack of any white list or safeguards..."

I haven't looked at McAfee since a time in the mid-90s when an overnight update brought two floors' worth of PCs to their knees performance-wise - and the client decided it was all my fault because I originally spec'ed the systems.

And here I thought I was maybe carrying a grudge because I've considered McAfee to be undependable ever since.

This is completely inexcusable. How can a supposedly major computer security software company, one that probably has more of its products pre-installed on systems world-wide than any other developer, possibly allow such a bug to be released to an unsuspecting public?

How can a virus definitions update that removes svchost.exe - a well-known vital Windows core system file - not realize it? Surely some testing would have been done by even the most careless developer!?!

This is why I have NOD32 configured to NEVER clean any suspected infection. I have all settings so that they quarantine and notify me. Never "clean", which simply means DELETE. These flaming idiots can't recognize a false positive? I'd like to say that I am not surprised, but this one surprises me. Damn!

Here's my patent-pending idea for AV companies to help solve at least some of these problems... never automatically delete any file properly signed by Microsoft. You might even want to make it difficult to allow the user to initiate a delete operation on such a file. Maybe have malware detected in such a file initiate a report to your tech support - either the user's computer is totally owned by malware, the malware detection has a significant flaw, or Microsoft has screwed something up royally.

Any of these 3 situations warrants careful consideration of the proper next steps, not just a blind delete (or even quarantine, in my opinion).
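The "never automatically delete a Microsoft-signed file" rule proposed above, written out as a defender-side policy check. This is an added example, not code from the thread or from any AV vendor; it assumes the scanner hands the policy a file path and a detection name, and that the file's Authenticode signature can be read with the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the thread): decide what to do with a detection
# under a quarantine-first policy. 'Delete' is never returned automatically.
function Get-DetectionAction {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DetectionName
    )

    # Read the Authenticode signature. Note: many Windows system binaries are
    # catalog-signed rather than embedded-signed; on older systems the cmdlet may
    # report them as NotSigned, so the Windows-directory check below is a second
    # safeguard rather than a replacement for the signature check.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $isMicrosoftSigned = ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

    $windowsDir = [Environment]::GetFolderPath('Windows')
    $inWindowsDir = $Path.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)

    if ($isMicrosoftSigned -or $inWindowsDir) {
        # As the post argues: either the machine is badly compromised, the
        # signature is a false positive, or the vendor shipped a bad file.
        # All three need a human decision, so only report and leave the file intact.
        $action = 'ReportToVendor'
        $reason = if ($isMicrosoftSigned) { 'Valid Microsoft signature' } else { 'Inside Windows directory' }
    } else {
        # Unsigned, non-system file: quarantine (reversible), never delete.
        $action = 'Quarantine'
        $reason = 'Unsigned file outside Windows directory'
    }

    [pscustomobject]@{
        Path      = $Path
        Detection = $DetectionName
        Action    = $action
        Reason    = $reason
    }
}

# Usage with the file and detection name from the McAfee incident quoted above:
Get-DetectionAction -Path "$env:SystemRoot\System32\svchost.exe" -DetectionName 'W32/wecorl.a'
```

With the file from the quoted incident, the result is ReportToVendor rather than a delete; the thread's own objection (that freeware would then have to be signed) only affects which branch unsigned third-party files land in, and that branch still quarantines rather than deletes.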

I don't think it is a great idea. It would mean that every freeware application would need to be signed and I don't think that a lot of the developers would have the money to do this. I think this is one of the advantages of Windows, being able to create your little, useful application at home, run it, and then being able to distribute it around the world, on other Windows OSes where (hopefully) it will work.

Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox environment for at least a month first. Then, after deployment, all definition updates would never be pushed out as they come in, but rather deployed to a red test network first; then, once proven, the Admin would allow deployment. These false positives should then be caught before doing any harm. Most FPs have an understandable, underlying reason, but for McAfee to bang out these FPs without undergoing a basic degree of QA first is unacceptable. There is really only one solution in the Enterprise arena that has a reliable and proven track record, which is why when McAfee contracts are up for renewal, they aren't renewed, and customers are jumping ship ASAP.

Quote

Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox environment for at least a month first.

I agree that companies should be more careful than McAfee apparently was this time, but I'm not sure how your statement above relates to the McAfee debacle in question. McAfee wasn't putting out a new version of the software but simply new definitions, something they do every day. Yes, they screwed up big time, but it had nothing to do with a new version of the software. And, as Jim has already pointed out, your statement about "mickey mouse personal 'anti-virus' software" also seems off target.

I understand that companies should - and hopefully most do - test all new software/versions before rolling them out to the client boxes; however, we are talking about virus definition files here. It is not reasonable to expect any IT dept. to test every virus def. update, as they are often released several times daily. Heck, some companies - like ESET, which I use - send out definition files hourly and even more frequently if needed!

I do agree that McAfee is remiss in not having tested the subject release a bit more thoroughly before foisting it on their (former??) customers.